Abstract

Although the origins of information warfare lie in the defense of critical computer systems, defensive information warfare (DIW) per se has advanced little beyond an information assurance model. Information assurance is an integral part of any military organization’s operations, but it falls far short of meeting the needs for robust defense of critical command-and-control (C2) computer networks against a sophisticated adversary. By looking at the ways that militaries have responded to challenging defensive situations in the past, some insights can be made into the nature of IW and potential application of conventional operations. This paper examines defensive tactics and strategies — from the German defense in depth that emerged from World War I to the American Active Defense that developed in the Cold War — and proposes a new mindset for DIW that draws on these operational concepts from military history.


Introduction

Many military theorists who have discussed information warfare (IW) rightfully point out that the United States, because of its civilian and military dependency on information technology (IT) systems, is vulnerable to attacks on those systems.¹ In fact, some argue that the United States is the most vulnerable of any nation. It makes sense, then, that even though the U.S. military has not yet launched a computer network attack against enemy IT systems in a conflict, the defense of its own networks has been a high priority.² It would follow that the U.S. military therefore must have a rigorous program for defensive information warfare (DIW; also referred to as IW-D), with specific tools and techniques designed for exclusive use in war. A review of its doctrine and planning, however, shows the opposite. In the field of DIW, the U.S. military draws no distinction between what is done in peace and in war, and offers little outside of generic information assurance. This philosophy may have advantages in seeming to carry a perpetually high degree of readiness, but it disintegrates under close inspection. A review of the current concepts in DIW and an examination of the underlying principles show that they are inadequate for the defense of critical command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) networks in a conflict with a sophisticated adversary.

¹ See, for example, the scenarios presented in B. Berkowitz, “Warfare in the information age,” in Information Age Anthology Volume I, D.S. Alberts and D.S. Papp (eds), (Washington D.C.: DoD C4ISR Cooperative Research Program, 2001) and Center for Strategic and International Studies, Cyber crime ... Cyberterrorism ... Cyberwarfare (Washington D.C.: CSIS Press, 1998).

² A cyber attack is not the only means of offensive information warfare. By the U.S. Department of Defense definition of information operations, many activities could count as offensive actions, such as the use of leaflets, the distribution of food, and press conferences. For the purposes of considering threats to computer networks, this paper will focus on attacks that degrade, disrupt, deny, or destroy those networks.


Current Concepts in Defensive Information Warfare

As with other concepts related to information-age warfare, DIW can mean several things, depending on the context.³ Unlike some of these concepts, however, DIW has not been explored to the same extent. There are relatively few official documents that discuss it and little published literature on the topic. To set a foundation for an in-depth exploration, it is important to understand DIW in doctrine, theory, and practice.


Doctrine

The U.S. Department of Defense (DoD) defines DIW as a subset of defensive information operations (IO). Defensive IO consists of:

The integration and coordination of policies and procedures, operations, personnel, and technology to protect and defend information and information systems. Defensive information operations are conducted through information assurance, physical security, operations security, counter-deception, counter-psychological operations, counterintelligence, electronic warfare, and special information operations. Defensive information operations ensure timely, accurate, and relevant information access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes.⁴

This definition is discussed in depth in Joint Publication 3-13, “Joint Doctrine for Information Operations,” which devotes the third chapter to defensive IO. Joint doctrine focuses primarily on operations security (OPSEC) and risk management. The chapter emphasizes identifying assets, vulnerabilities, and protective measures, and the steps to restore systems if attacked. The text devoted to response includes law enforcement activity, diplomatic actions, economic sanctions, and military force. Succinctly, defensive IO is meant to provide “protection, detection, restoration, and response.”

³ See, for example, the discussion of value and shared awareness in R.E. Giffin and D.J. Reid, “A Woven Web of Guesses,” presented at the 8th International Command and Control Research and Technology Symposium, Washington D.C., June 17-19, 2003.

⁴ U.S. Department of Defense, Joint Pub 3-13, Joint Doctrine for Information Operations, 1998, GL-5. This term and its definition are approved for inclusion in the next edition of Joint Pub 1-02.
This same vision is reflected in the U.S. Air Force Doctrine Document 2-5, “Information Operations.” In fact, the concept is further diluted. In place of the term defensive IO, the Air Force uses defensive counterinformation operations, a wider-ranging term that includes counter propaganda and public affairs, in addition to the DIO activities outlined above. In this implementation, the defensive concept encompasses the protection of any information-based process in military activity, but loses a distinct role in wartime altogether. Remarkably, Air Force doctrine does not address response to cyber attack in any way except in an example where the Air Force Computer Emergency Response Team (AFCERT) recommended blocking certain e-mail and web page attacks from Air Force networks.⁵

The limitation of this definition is the mindset it represents, where the emphasis is on passive monitoring and basic OPSEC procedures. This shortcoming is acknowledged in the Joint Information Operations Planning Handbook, which states that so little has been written on full spectrum defensive IO planning that it “leaves one with the distinct impression that Defensive IO equals IA [information assurance] and CND [computer network defense].”⁶ Unfortunately, the document does not offer any additional ideas, adhering to the same generic risk management methodology. U.S. doctrine regarding DIW is at best poorly conceptualized. In attempting to account for every possible threat to information, it provides almost no guidance for response to a cyber attack in wartime conditions or preparations for improving defense prior to an attack. In this light, DIW doctrine leaves the military with little information concerning network defense in war.


Theory

In many areas of the military arts, doctrine can lag behind theory. Individuals who are outside of the military establishment (or inside, but on the fringe) have more freedom to discuss new concepts and write about the potential implementation of new tools or new organizational concepts. In some cases, this is a necessity, as new technologies are introduced from the outside and must be adapted for military use (e.g., the airplane). In others, the military itself forges the new path (e.g., the submarine). IW theory tends to follow the former, where many people discuss potential implementation of IW concepts. Given the state of DIW doctrine, one might expect to find more or different ideas in the literature. Unfortunately, DIW theory is not far ahead of doctrine at all.

The National Defense University Press published the major work on the issue (titled Defensive Information Warfare, by David Alberts) in 1996. Alberts looks at the topic broadly to include the threat of attacks on civilian infrastructure. This breadth is reflected in his definition of DIW: “all actions taken to defend against information attacks, that is, attacks on decision makers, the information and information-based processes they rely on, and their means of communicating their decisions.”⁷ It is also manifest in his solution: general deterrence is seen as the major contributor to U.S. DIW efforts.

Alberts does provide direction for other aspects of a national DIW strategy. Although he admits that “there is poor ability to identify which assets are critical because attacks on seemingly insignificant systems can cause cascading failures in critical systems,”⁸ his approach is to rank systems from unimportant to critical, and then defend them with increasing levels of effort. The “lowest defenses block common or ‘everyday’ attacks. More sophisticated attacks are faced with more stringent defenses, and strategic attacks face the most intricate defense.”⁹ (Alberts refers to this as “defense in depth.”) Although appealing at a high level, the book does not solve the basic problems that are at the heart of IW: in an interconnected sector of networks defended at their perimeters, it is tremendously difficult to separate the most critical assets from the least valuable, and to differentiate the common attacks from the strategic. In the end, the reader is left without a clear idea of how to implement such a strategy on any level.

⁵ U.S. Air Force, Doctrine Document 2-5, “Information Operations,” 2002, p 19.

⁶ Joint Forces Staff College, “Joint Information Operations Planning Handbook,” (Norfolk, Virginia: National Defense University, 2003), p. VI-3.

A 1999 RAND report by Robert H. Anderson and colleagues attempted to pursue a more detailed approach in this direction. Although Securing the U.S. Defense Information Infrastructure has a similar theme to Defensive Information Warfare, its analysis is more focused in that it addresses only DoD systems for command, control, communications, and intelligence (C3I), while providing categories for vulnerabilities and mitigation strategies. Within that set of systems, it attempts to define a “minimum essential,” but Anderson quickly concedes that “any attempt to mark off part of the information infrastructure as ‘minimum essential’ quickly dissolves into the realization that just about everything must be included.”¹⁰ Without resolving that dilemma entirely, the authors introduce a six-step process, the first two steps dedicated to identifying critical functions and the systems that rely on them. The remaining steps are to identify vulnerabilities, identify countermeasures, implement countermeasures, and test countermeasures.

Anderson and colleagues argue that their process cannot be a centralized effort, but instead requires local implementation. As importantly, the book discusses defense in depth (albeit with a different definition than Alberts) “in which multiple levels of such hardening and monitoring are employed to catch perpetrators penetrating the initial system defenses.”¹¹ One potential additional defense the authors discuss is a honeypot (see Box 1). This honeypot would be used to “detain perpetrators long enough to allow better understanding of their sophistication, modus operandi, and interests, and to allow traceback of their access route.”¹² Although Anderson approaches the problem from the bottom up (vice Alberts’ top-down approach), he and Alberts arrive at the same hopeful conclusion that a risk management approach can secure DoD’s networks.

⁷ D.S. Alberts, Defensive Information Warfare (Washington D.C.: National Defense University Press, 1996), p 4.

⁸ D.S. Alberts, Defensive Information Warfare (Washington D.C.: National Defense University Press, 1996), p 36.

⁹ D.S. Alberts, Defensive Information Warfare (Washington D.C.: National Defense University Press, 1996), p 40.

¹⁰ R.H. Anderson, P.M. Feldman, S. Gerwehr, B. Houghton, R. Mesic, J.D. Pinder, J. Rothenberg, and J. Chiesa, Securing the U.S. Defense Information Infrastructure: A Proposed Approach, (Santa Monica, Calif.: RAND, 1999), p 9.

¹¹ R.H. Anderson, et al., Securing the U.S. Defense Information Infrastructure: A Proposed Approach, (Santa Monica, Calif.: RAND, 1999), p 9.

By comparison, the Defense Science Board presents a much darker outlook in its two reports on this topic. Its 1996 report called for improvements in basic capabilities such as damage control and impact assessments; its 2001 report starkly concluded that “DoD cannot today defend itself from an Information Operations attack.” Although the conclusions are similar, the Defense Science Board took different approaches in its reports. The first looked broadly at the national information infrastructure and took threats to the economy and civilian functions into account. It found DoD’s ability to defend this infrastructure lacking, making recommendations for DoD to improve tactical warning for IW attack, capacity for damage control during the attack, and tools to assess the impact of an attack afterward.¹³ Importantly, this concentration on DoD ability to respond to a wartime attack is missing from both Alberts and Anderson, whose approaches address general attacks at any time.

The second Defense Science Board report looked more narrowly at DoD’s information infrastructure, but also explored its dependence on civilian telecommunications. Using Joint Vision 2020 as its departure point for DoD’s near-term capabilities and needs, and looking in particular at the Global Information Grid (GIG), the Defense Science Board found (again) that DoD did not have adequate programs and planning to defend this infrastructure from a sophisticated adversary. Its recommendations included stronger architecture for the GIG, increased capability to detect intrusions, and increased research and development on security technology.¹⁴


Box 1: Honeypots

Honeypots are “systems designed to be compromised by an attacker. Once compromised, they can be used for a variety of purposes, such as an alerting mechanism or deception.” A honeynet is a network of honeypots used “to learn the tools, tactics, and motives” of an attacker.

Honeypots and honeynets are found most commonly as security research tools, typically as independent servers or networks that hackers attack at random. Observations from such research can identify the intentions or techniques used by the attackers, and the results are published on such community sites as the Honeynet Project, found at http://project.honeynet.org.

Source: The Honeynet Project, Know Your Enemy (Boston: Addison-Wesley, 2002).
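As an added illustration of the “alerting mechanism” role described in Box 1, the following Python listener is a minimal low-interaction honeypot. It is example code written for this edit, not the paper’s text or the Honeynet Project’s tooling; the listening port (2222) and the JSON alert format are assumptions. Because no legitimate service on the host uses the port, every connection is unexpected by construction and is recorded with the peer address and the first bytes it sent, which is the signal an analyst would feed to the intrusion-detection or incident-response process.

```python
"""Minimal low-interaction honeypot used purely as an alerting mechanism.

Added example, not the paper's or the Honeynet Project's code. It listens on a
port that (by assumption) no legitimate service on the host uses; any
connection is therefore unexpected and is recorded with the peer address, a
timestamp and the first bytes the peer sent.
"""
import json
import socketserver
import time
from dataclasses import asdict, dataclass
from typing import Optional, Tuple

LISTEN_PORT = 2222        # assumption: unused by any real service on this host
MAX_BANNER_BYTES = 256    # keep only a short prefix of whatever the peer sends


@dataclass
class HoneypotAlert:
    timestamp: float
    source_ip: str
    source_port: int
    first_bytes: str      # escaped, single-line form of the peer's first bytes
    byte_count: int


def make_alert(peer: Tuple[str, int], data: bytes,
               now: Optional[float] = None) -> HoneypotAlert:
    """Build the alert record for one connection.

    Kept free of socket code so it can be tested offline. Bytes are decoded
    as latin-1 (lossless) and then escaped, so control characters or binary
    probes cannot break the one-line-per-alert log format.
    """
    prefix = data[:MAX_BANNER_BYTES]
    escaped = prefix.decode("latin-1").encode("unicode_escape").decode("ascii")
    return HoneypotAlert(
        timestamp=now if now is not None else time.time(),
        source_ip=peer[0],
        source_port=peer[1],
        first_bytes=escaped,
        byte_count=len(data),
    )


def alert_line(alert: HoneypotAlert) -> str:
    """One JSON line per alert, ready for a log collector or SIEM."""
    return json.dumps(asdict(alert), sort_keys=True)


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Accept, read briefly, log, close. Nothing is ever sent back, so the
    peer learns nothing about the host; the defender learns it was probed."""

    def handle(self) -> None:
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(MAX_BANNER_BYTES)
        except OSError:               # timeout or reset: still worth an alert
            data = b""
        print(alert_line(make_alert(self.client_address, data)), flush=True)


def serve(host: str = "0.0.0.0", port: int = LISTEN_PORT) -> None:
    """Run the listener until interrupted."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), HoneypotHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it as a script on a host where the port is otherwise unused; `make_alert` is separated from the socket code so the alert formatting can be checked without opening a port. Sending nothing back keeps the deception cheap: the peer learns nothing about the host, while the defender learns that someone is probing and what they sent first.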


¹² R.H. Anderson, et al., Securing the U.S. Defense Information Infrastructure: A Proposed Approach, (Santa Monica, Calif.: RAND, 1999), p 52.

¹³ Defense Science Board, Information Warfare - Defense (Washington D.C.: Office of the Under Secretary of Defense for Acquisition and Technology, 1996).

¹⁴ Defense Science Board, Defensive Information Operations (Washington D.C.: Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics, 2001).
Although basic protective measures are essential to military operations, and risk management is a proven tool for limiting vulnerability of critical assets, these elemental documents (both in doctrine and in the literature) fall short of providing a vision for defensive cyber-based activity in wartime. This lack of vision is reflected in the current U.S. operational concepts as implemented.


Practice

Given the lack of distinction in doctrine between peacetime and wartime operations, and the basic risk management approach outlined in the literature, it is understandable that there are few plans for DIW operations. The strength of the current DoD approach is that it emphasizes the importance of daily defense and individual events. Its basic weakness is that it fails to acknowledge that different tactics and strategies are needed in wartime circumstances. In other words, DoD would argue that it is currently engaged in DIW operations (or, more specifically, defensive IO or — more nebulously — defensive counterinformation operations). This CND would consist of monitoring for intrusions, identifying viruses and worms, patching systems and applications, enforcing user authentication and privileges, and incident response. Incident response can include forensic investigation, intelligence analysis, and legal or counterintelligence investigations or operations. This serves DoD well in peacetime, but these approaches do not stand up to scrutiny when considered in a wartime environment.


Fundamental Flaws in Information Assurance

By the accepted definition (in doctrine, theory, and practice), DIW would consist essentially of information assurance, albeit rigorously enforced. In its ideal state, information assurance means that the following conditions are true:

1. There are no flaws in the hardware or software running on a specific system.
2. There are no implementation or configuration flaws in the system’s network.
3. All patches and anti-virus or intrusion-detection signatures have been updated.
4. Only authorized users have access to a specific system.
5. Those users have only the privileges that they need to do their job.
6. No one is acting against the organization’s interest.

The basic principles of information assurance — maintaining the confidentiality, integrity, and availability of network services and data — serve most systems well. In an everyday environment, the majority of system compromises result from user error or the exploitation of a known vulnerability for which a patch or remedy exists. When a hostile, sophisticated adversary is introduced, however, information assurance processes cannot stand up to systematic challenge. Information assurance is based on the theory that network security is attainable in principle, that the conditions above will work out for the positive. If any one fails, however, the security of the entire system will be breached. Unfortunately, none stand up under close inspection.
Flawed Hardware and Software

Casual experience shows that the first condition is false. Technical sites are updated daily with the latest discovered flaws. This is true of operating systems (such as Windows and Linux), basic network services (such as Domain Network Service and Simple Network Management Protocol), and applications (such as Microsoft Internet Information Service). The fact that flaws in these are discovered on a regular basis implies that there are more. From a logical standpoint, CND analysts must accept the premise that flaws exist that have yet to be discovered or announced, and — more importantly — that it is possible that those flaws are currently being exploited without their knowledge.


The Failure of Signature-Based Defenses

Acknowledging that flaws exist and that exploits will follow leads directly to the need for network defenses, but the most common defenses are also philosophically flawed. Both anti-virus software and most intrusion detection systems are based on recognizing the activity or characteristics of known malicious code (the code’s signature). This can be the name of an executable, the size of an e-mail attachment, the port a worm uses, or any number of other characteristics. By definition, these are created after the malicious code is detected and analyzed. This explains why an Internet worm can be caught by a firewall or anti-virus, yet its immediate variant cannot. Malware writers sometimes make only minimal changes in a worm to alter its signature. Regardless, from a logical standpoint, network engineers must accept the premise that even rigorous application of signature files will not protect their networks against malicious code that has not been encountered before. For large outbreaks, it can be a small amount of time — a matter of hours — before the signature update is ready. Unfortunately, with recent malware, worms have propagated worldwide within minutes. Both the Slammer worm (MS-SQL Server Worm) and MyDoom.A saturated the Internet before the signature file updates were available. If a malware writer were to target a specific organization with a customized worm, a signature may never exist. So the CND analyst must admit that the network — although protected against all past worms and hacker tools — may well be defenseless against the worm released tomorrow and the hacker with a brand new exploit.
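The contrast drawn above, between a signature that exists only after analysis and a defense that does not depend on having seen the code before, is illustrated by the following added Python example (not code from the paper). The “worm body”, its trivially edited variant, and the flow records are constructed inline; the infected host’s behaviour is modelled on the page’s Slammer example (many destinations on a single port within seconds, with port 1434 assumed), and the fan-out threshold and window are assumptions that a real deployment would tune to its own traffic. The exact-hash signature matches the original sample and misses the variant; the fan-out check flags the propagation pattern regardless of what bytes the worm carries.

```python
"""Exact signatures versus a behavioural check for worm propagation.

Added example, not code from the paper. The 'worm body', its variant and the
flow records are constructed inline; no real malware is involved.
"""
import hashlib
from collections import defaultdict
from typing import Iterable, List, Tuple

# --- signature-based detection ---------------------------------------------
# Constructed stand-in for a captured worm body. Its hash is the signature a
# vendor would ship after analysing the first sample.
KNOWN_SAMPLE = b"CONSTRUCTED-WORM-BODY: scans one port and resends itself"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# A variant: the same body with a trivial edit. Functionally the same, but
# the hash, and therefore the signature match, is gone.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"resends", b"re-sends")


def signature_match(sample: bytes) -> bool:
    """Exact-hash lookup: only ever matches what has already been analysed."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


# --- behaviour-based detection ---------------------------------------------
Flow = Tuple[float, str, str, int]   # (timestamp_s, src_ip, dst_ip, dst_port)

# Constructed flow records. Host 10.0.0.5 behaves like a normal client; host
# 10.0.0.9 hits hundreds of distinct destinations on one port within seconds,
# the propagation pattern of a Slammer-style worm (port 1434 assumed here).
FLOWS: List[Flow] = [
    (0.0, "10.0.0.5", "10.0.0.20", 443),
    (12.0, "10.0.0.5", "10.0.0.21", 443),
    (40.0, "10.0.0.5", "10.0.0.22", 53),
] + [
    (1.0 + i * 0.1, "10.0.0.9", f"10.0.{i // 250}.{i % 250}", 1434)
    for i in range(400)
]

FANOUT_THRESHOLD = 100   # more distinct destinations than this on one port ...
WINDOW_SECONDS = 10.0    # ... inside a window this long => flag the source


def scan_fanout_hosts(flows: Iterable[Flow], threshold: int = FANOUT_THRESHOLD,
                      window: float = WINDOW_SECONDS) -> List[str]:
    """Sources whose distinct-destination fan-out on a single port exceeds
    `threshold` within any `window`-second span. Independent of payload."""
    by_key = defaultdict(list)                  # (src, port) -> [(ts, dst)]
    for ts, src, dst, port in flows:
        by_key[(src, port)].append((ts, dst))
    flagged = set()
    for (src, _port), events in by_key.items():
        events.sort()
        start = 0
        in_window = defaultdict(int)            # dst -> hits inside the window
        for ts, dst in events:
            in_window[dst] += 1
            while events[start][0] < ts - window:   # expire old events
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                flagged.add(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("signature matches original:", signature_match(KNOWN_SAMPLE))
    print("signature matches variant: ", signature_match(VARIANT_SAMPLE))
    print("behavioural check flags:   ", scan_fanout_hosts(FLOWS))
```

Behavioural checks have their own failure mode, false positives from legitimate vulnerability scanners or backup jobs that also fan out, so the threshold and an allow-list for known scanners are part of the configuration rather than afterthoughts.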


The Failure of One-Time Authentication

Even if the network engineers have properly configured their networks, installed the most recent patches, and updated the very latest anti-virus signatures, CND analysts cannot assume that no exploits will succeed from the outside. A quick review of the users who are logged into the system shows that they are all legitimate, but this, too, is a logical trap. The overwhelming majority of networks today require a one-time authentication: typically a user name and a password. Countless studies, however, have demonstrated the weakness in this system.¹⁵ The tension between easily remembered passwords and sufficiently secure passwords tends to break along the lines of convenience. Most passwords are still easily guessed. Others are too complex, and written down near the computer. Unless the organization has rigorous review of passwords and enforcement of rules that infuse some security into the system, one-time authentication remains — and will remain — weak. Unfortunately, the trends point to consolidation of one-time authentication, manifest in “single sign-on,” which allows users to log in to numerous systems through a single set of keys activated with one password. Ultimately, all the network administrator really can attest with certainty is that everyone logged in has an authentic user name and password. Whether the people using those accounts actually correspond to their owners is a completely separate issue. If an intruder can guess a password, obtain the password through malicious code, or change the password through social engineering, the intrusion detection system may have nothing at all to detect. From a logical standpoint, CND analysts must accept the premise that simple user authentication is weak, and that it is possible that unauthorized users are currently using the network without being detected.

¹⁵ For an illustrative example, see the Infosecurity Europe press release from April 15, 2003, “Office workers give away passwords for a cheap pen,” www.infosec.co.uk/page.cfm/T=m/Action=Press/PressID=3.


The Reality of Complexity

In the very simple scenarios described above, the security of the network can be considered straightforward. In practice, the network is vastly more complex. Hardware components can have default logins. Some users log in from home or while on travel. The computers they are using may have some flaw that the network engineer cannot control, or they may be running outdated anti-virus software. Outside organizations have connectivity to parts of the network. The interaction of operating systems and hardware causes unforeseen consequences for security. C4ISR networks will be just as complex. The GIG and the systems it supports (such as the Global Combat Support System and the Joint Global Command and Control Systems) will involve tactical radios, satellite and air communications, and fiber optic backbones. It is meant to connect DoD intelligence and combat assets around the globe, and support coalition forces as needed. Each entry point, data exchange, and dependency will complicate the GIG’s security.

Of course, there are a number of technical solutions to individual security problems. Some anti-virus and intrusion detection software is behavior based. Some software will make a baseline of a user’s normal activity and report anomalies that could reveal unauthorized use of the account. Public Key Infrastructure (PKI) and smart cards can build in additional layers of authentication. Even so, each of these processes relies on humans, and security often suffers. Digital certificates have been stolen.¹⁶ Users allow others to log in with their accounts. Administrators download unauthorized tools or software. For a network that is actually being used, the complexity is very high, and this erodes security. The information assurance model, therefore, can never attain its ideal state; too many conditions simply cannot be met. Yet current DIW doctrine and theory put information assurance at the heart of their risk management-based strategy.
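Two observations from the preceding sections, that a valid user name and password say nothing about who is actually using the account, and that software can baseline a user’s normal activity and report anomalies, can be combined in a small detection routine. The following Python example is added for this edit and is not code from the paper; the auth-log line format, the sample account, and the tolerances (a /24 source prefix, a one-hour margin around previously seen login hours) are all constructed assumptions. Successful logins build the baseline; a later successful login is then scored against it, so an intruder who simply guessed the password still leaves something for the intrusion-detection system to detect.

```python
"""Baseline-and-anomaly scoring of successful logins.

Added example, not from the paper. Shows that a login with correct
credentials can still be flagged when it departs from the account's own
history. Log format and all sample lines are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed auth-log format: ISO timestamp, user, source IP, result.
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(ok|fail)$")


def parse(line: str) -> dict:
    """Parse one auth-log line; reject anything that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    ts, user, src, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "ok": result == "ok"}


def prefix24(ip: str) -> str:
    """Source network at /24 granularity, e.g. 10.1.4.22 -> 10.1.4 (IPv4 assumed)."""
    return ".".join(ip.split(".")[:3])


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per account: source /24s seen and a histogram of login hours.

    Only successful logins contribute; failures say nothing about where
    the real owner normally works from.
    """
    base: Dict[str, dict] = defaultdict(lambda: {"prefixes": set(), "hours": Counter()})
    for e in map(parse, lines):
        if e["ok"]:
            base[e["user"]]["prefixes"].add(prefix24(e["src"]))
            base[e["user"]]["hours"][e["ts"].hour] += 1
    return dict(base)


def assess(line: str, baseline: Dict[str, dict]) -> List[str]:
    """Reasons a successful login is anomalous; empty list = consistent with history."""
    e = parse(line)
    if not e["ok"]:
        return []                      # failed attempts are handled elsewhere (lockout, etc.)
    b = baseline.get(e["user"])
    if b is None:
        return ["no baseline for account"]
    reasons = []
    if prefix24(e["src"]) not in b["prefixes"]:
        reasons.append(f"new source network {prefix24(e['src'])}.0/24")
    hour = e["ts"].hour
    # tolerate +/- one hour around hours previously seen (assumed tolerance)
    if not any(b["hours"][(hour + d) % 24] for d in (-1, 0, 1)):
        reasons.append(f"login hour {hour:02d} never seen before")
    return reasons


def constructed_history() -> List[str]:
    """Twenty days of one user logging in morning and afternoon from one desk."""
    lines = []
    for day in range(1, 21):
        lines.append(f"2004-03-{day:02d}T08:{day % 60:02d}:10 user=jsmith src=10.1.4.22 result=ok")
        lines.append(f"2004-03-{day:02d}T13:{(day * 7) % 60:02d}:45 user=jsmith src=10.1.4.22 result=ok")
    lines.append("2004-03-05T08:12:00 user=jsmith src=10.1.4.22 result=fail")
    return lines


if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    for new in ("2004-03-22T08:07:33 user=jsmith src=10.1.4.22 result=ok",
                "2004-03-22T03:12:41 user=jsmith src=192.0.2.77 result=ok"):
        print(new, "->", assess(new, baseline) or "consistent with baseline")
```

The second sample login authenticates successfully and would pass any review of “who is logged in”, yet it is reported on two counts (unfamiliar source network, unfamiliar hour). In practice the baseline window, the prefix width and the hour tolerance are tuned per environment, and a flagged login is a prompt for verification rather than proof of compromise.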


¹⁶ National Infrastructure Protection Center, “Warning not to accept VeriSign Microsoft digital certificates dated January 29-30, 2001,” Advisory 01-006, March 23, 2001.
The Limits of Risk Management

The basis for risk management is that organizations make conscious decisions about what risks they will accept and which they will mitigate. This works well for many processes, and for physical security. For digital security, however, the logic fails. Too many real-world examples demonstrate that networks connected to the Internet can be compromised from the outside. Too many cases of insider activity illustrate the damage that legitimate users can do. These risks may be acceptable if the organization has the time to identify and mitigate the intrusions and compromises. This luxury, however, will not be available in wartime; even a small amount of wrong information in a C4ISR system “can have a major impact on the quality of situational understanding and lower the chances of high-quality military decisions.”¹⁷ The consequences of a successful cyber attack, therefore, are unacceptably high. Defenses cannot be built around a reactive, perimeter-based philosophy.

During a conflict, C4ISR networks will be priority targets for a technologically advanced adversary. To limit DIW to information assurance or risk management would place it entirely in the reactive mode of passively waiting for and then responding to countless exploits. Making the assumption that networks are secure and depending on them to operate normally is to invite failure. Logic demands that CND analysts and network engineers anticipate exploits they have not seen, malfunctions that they did not foresee, and constant attacks. From this standpoint, DIW requires a different philosophy for its operations.


A  New  Basis  for  Defensive  Information  Warfare 

Just as a commander would not use force protection concepts as the basis for defending a geographic area from an invading force, DoD should not use risk management as its basis for DIW. It should instead look to military history and doctrine for conventional defensive operations. Using that information to assess the situation for defending a C4ISR network, a commander should see two major challenges. First, for the reasons above, a perimeter defense is unlikely to succeed. Second, the commander has almost no ability to counterattack, because incoming attacks are difficult to trace past the attacking host, which is unlikely to be the point of the attack's origin.18 Moreover, the rules of engagement are still unclear. This can be read as a disadvantage in firepower, and fortunately there are corresponding tactics and strategies on which a commander can draw. Most prominent among these are the German defense in depth that emerged from World War I, the American Active Defense that developed in the Cold War, and Serbian use of deception and denial against NATO in the 1999 Kosovo campaign.


17 D.S. Alberts, J.J. Garstka, R.E. Hayes, and D.A. Signori, Understanding Information Age Warfare (Washington D.C.: Command and Control Research Program, 2001), p. 86.

18 Digital attackers typically run their operations through a series of compromised sites to obscure the actual origin and complicate legal or counterintelligence investigations.
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Defense in Depth

A commander considering the defense of the digital perimeter should examine the lessons learned from trench warfare. Toward the end of World War I, German Army commanders realized that rigid defense of the forward trenches could be maintained only at an enormous cost in lives. As an alternative, the Germans developed a defense-in-depth strategy. It assumed that the outermost defenses would be breached, so the forward line was held only by lightly manned outposts. The second line, built around machine-gun nests, disrupted the momentum of the attack and slowed its progress while a third line brought fire on the enemy. This allowed a reserve to counterattack and restore the perimeter.19 The defense allowed the outnumbered Germans to hold both fronts until the American Expeditionary Force irreversibly shifted the balance of power. Although modern commanders must not weaken their digital perimeters, they must recognize that those perimeters are likely to be penetrated. Careful thought, therefore, must go into the second and third lines of defense.

As mentioned above, however, information assurance and DIW have already seized upon the term defense in depth. Unfortunately, the concept has several interpretations and little coherence. For some, it simply means that information security policies are enforced more rigorously on certain systems. For others, it means that policies and procedures are considered a layer of defense that supplements technical defenses.20 In practice, poorly designed defense in depth means that a system has a different defense for each entry point, and if any one of them fails, the system's security is compromised.

Drawing on conventional defensive operations returns the focus to the need for multiple technical means of identifying anomalous activity, each designed on the assumption that the others have failed. Behavior-based anti-virus and tools that monitor user behavior are useful in this capacity, but honeypots located behind the perimeter may be the best solution. Because no legitimate user has any need to access the data on a honeypot, any activity on it triggers an alarm. In this way honeypots can detect an intruder who has successfully penetrated the firewall and other security systems, or an insider with authorized access conducting unauthorized activities.

There are several courses of action a counterintelligence officer can take at this point. In peacetime, an officer can dedicate the resources to let the intruder continue as if unobserved, hoping to glean information about the intruder's tradecraft and purposes. In wartime, this may not be possible. Honeypots require a major investment of time from counterintelligence analysts and system administrators to ensure that the intruder is kept within constrained segments of the network and to analyze the intruder's activities and effects. A more immediate benefit would come from cutting the intruder off at once, letting the adversary know that the operation was detected. The adversary may then treat the tools and techniques used to gain access as burned, and so be denied their further use. If possible, analysts could use the information from the honeypot to create signatures that detect the activity and strengthen the perimeter defense across DoD. Honeypots tend to be used in very small numbers or as stand-alone systems in a honeynet. In wartime, networks should have many honeypots, maximizing the chance that an intruder will encounter one. This would detect the enemy's efforts sooner, slow the progress of all further cyber operations, and potentially divert enemy attention away from specific systems. Deployment should be controlled locally so that commanders can decide how much time and resources to invest in the operation.

19 W.S. Lind, "The theory and practice of maneuver warfare," In: Maneuver Warfare: An Anthology, R.D. Hooker, Jr. (ed), (Novato, CA: Presidio, 1993), p. 6; J.M. House, Combined Arms Warfare in the Twentieth Century (Lawrence, Kansas: University Press of Kansas, 2001), pp. 40-43.

20 D. Luddy, "Defense in depth: A practical strategy for achieving Information Assurance in today's highly networked environments," (Ft. Meade, Maryland: National Security Agency, undated).

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
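To make the honeypot handling above concrete, the following is an added example in Python; it is not code from the paper or from any tool the paper cites. It treats any connection to an address in a declared honeypot set as an alert, derives a content signature from the payloads one intruder sent to the honeypot by finding the longest byte string common to all of them, and renders that signature as a Snort-style rule together with an iptables rule that cuts the source off. The event records, addresses and rule formats are constructed for the example rather than taken from any DoD system.

```python
"""Honeypot touch alerting, signature derivation and containment.

Added example for the paper's honeypot discussion; not code from the paper or
from any product it cites. Event records, addresses and rule formats below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Event:
    src: str        # source address of the connection
    dst: str        # address the connection reached
    port: int
    payload: bytes  # first bytes the source sent


@dataclass
class HoneypotMonitor:
    honeypots: Set[str]                       # addresses no legitimate user needs
    events: List[Event] = field(default_factory=list)

    def record(self, ev: Event) -> Optional[dict]:
        """Any touch of a honeypot is an alert: there is no valid use of it."""
        if ev.dst not in self.honeypots:
            return None                        # ordinary host, not our concern here
        self.events.append(ev)
        return {"alert": "honeypot-touch", "src": ev.src, "dst": ev.dst,
                "port": ev.port, "count": self.touches_by(ev.src)}

    def touches_by(self, src: str) -> int:
        return sum(1 for e in self.events if e.src == src)

    def payloads_from(self, src: str) -> List[bytes]:
        return [e.payload for e in self.events if e.src == src and e.payload]


def longest_common_substring(chunks: List[bytes], min_len: int = 4) -> bytes:
    """Longest byte string present in every chunk, or b"" if none reaches min_len.
    Brute force over the shortest chunk; a honeypot yields only a handful of captures."""
    if not chunks:
        return b""
    shortest = min(chunks, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in c for c in chunks):
                return cand
    return b""


def snort_rule(content: bytes, port: int, sid: int) -> str:
    """Render the derived bytes as a content match (Snort-style syntax)."""
    hexed = " ".join(f"{b:02x}" for b in content)
    return (f'alert tcp any any -> $HOME_NET {port} '
            f'(msg:"honeypot-derived"; content:"|{hexed}|"; sid:{sid}; rev:1;)')


def containment_rule(src: str) -> str:
    """Cut the source off (iptables syntax); the adversary's access is now burned."""
    return f"iptables -I INPUT -s {src} -j DROP"
```

The signature derivation is deliberately crude: before pushing such a rule to the perimeter an analyst should confirm that the common bytes are not a protocol constant that legitimate traffic also carries. Issuing the containment rule is the wartime option the paper describes; the peacetime option is simply not to issue it and to keep recording.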


Active Defense

A commander considering the inability to counterattack beyond his or her own perimeter has many historical points to contemplate. In fact, this is a situation to which many U.S. adversaries have had to adapt, and some have done so quite well.21 The U.S. military faced the same problem in the Cold War, when it struggled with the question of how to defend Western Europe from a Soviet invasion.22 Because NATO faced a numerically superior foe, it was presumed that simple hardened defenses would be overrun. Defenses based on a straightforward exchange of fire would also fail, because the numerical imbalance translated into a Soviet advantage in firepower. In the 1970s, General William DePuy led the creation of the Active Defense. The strategy sought to funnel the invading forces, through terrain and hardened, prepared positions, into ground most suitable for long-range artillery bombardment and counterattack. This would help commanders ascertain the enemy's main point of attack and allow them to concentrate limited resources to meet it. The ground forces had to be especially mobile in order to reinforce where needed, quickly capitalize on opportunities to strike, and, just as importantly, return to the hardened defenses before the next wave of the enemy appeared.23

Although Active Defense may not translate into a digital defense as readily as defense in depth, there are key concepts to apply. The first is hardened, prepared positions. In typical information assurance terms, hardening refers to deactivating unneeded protocols, closing unneeded ports, and ensuring that default logins are disabled. It can also include encryption and digital signatures. A better method for hardening a system would be to use a restrictive rather than a permissive operating system. Operating systems are built to run all programs except those specifically forbidden (typically, known malware). In contrast, rigid execution control means that all executables are forbidden except for an allowed set. Each member of that set can be further identified by a one-way hash that ensures the code has not been altered.24 DoD should consider drastic changes to its critical networks, including their operating systems.

21 R.H. Scales, Jr., "Adaptive enemies: Achieving victory by avoiding defeat," Joint Forces Quarterly, Autumn/Winter 2000 (No. 23): 7-14.

22 For a broad discussion of the American response to Soviet numerical superiority, see J.A. Engel, "Cold War at 30,000 Feet" (2001, PhD Dissertation, University of Wisconsin-Madison), pp. 62-66.

23 P.H. Herbert, "Deciding What Has to Be Done: General William E. DePuy and the 1976 Edition of the FM100-5, Operations," Leavenworth Paper No. 16, (Ft. Leavenworth, Kansas: Combat Studies Institute, U.S. Army Command and General Staff College, 1988), pp. 79-85.

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
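The rigid execution control described above can be sketched in a few lines. This is an added example in Python, not code from the paper or from the products cited in note 24; the manifest layout and the function names are this example's own. It records a SHA-256 digest for each approved executable and refuses anything that is either not listed or whose bytes no longer match the recorded digest, which is the opposite of the permissive model in which everything runs unless it is known-bad.

```python
"""Default-deny execution control keyed by a SHA-256 of each executable.

Added example for the paper's "rigid execution control" passage; not code from
the paper or from the products cited in note 24. The manifest layout
(real path -> hex digest) and check_exec() are this example's own.
"""
import hashlib
import os
from typing import Dict, Iterable, Tuple


def sha256_file(path: str) -> str:
    """One-way hash of the file's bytes, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: Iterable[str]) -> Dict[str, str]:
    """Measure the approved set on a trusted host at approval time."""
    return {os.path.realpath(p): sha256_file(p) for p in paths}


def check_exec(path: str, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Rigid model: refuse unless the path is in the allowed set AND its current
    bytes still match the digest recorded when it was approved.
    (A permissive OS does the opposite: run unless the file is known-bad.)"""
    real = os.path.realpath(path)   # resolve symlinks so an alias cannot bypass the list
    expected = manifest.get(real)
    if expected is None:
        return False, "not in allowed set"
    if not os.path.isfile(real):
        return False, "missing"
    if sha256_file(real) != expected:
        return False, "hash mismatch: altered since approval"
    return True, "allowed"
```

A user-space check like this one leaves a window between hashing the file and executing it in which the file could be swapped, so a deployed control needs the same check enforced in the kernel's exec path, and the manifest itself must be protected from modification (read-only media, or signed and verified at boot).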

The second lesson commanders might glean from Active Defense is the need for mobility. This principle can also be enacted in cyberspace. In peacetime, an adversary can quietly perform reconnaissance on a network, identifying its routers, gateways, servers, firewalls, and other components outside the DMZ. This provides the adversary with the IP addresses, configuration, and baseline traffic of the network. In wartime, it would be in the interest of certain networks to be able to change their addresses, configuration, and perhaps even equipment. This would neutralize whatever reconnaissance the adversary had gathered. If these changes are made on a sufficient number of systems, the enemy will have to re-verify all of its reconnaissance, including that done on systems that have not changed. One possible method for enacting this digital mobility would be to hold an unused set of IP address blocks at DoD's disposal. Rather than have those blocks suddenly become active when needed, traffic could be generated artificially so as to simulate activity in peacetime. A prearranged, simultaneous change to DoD's DNS and BGP tables would then activate the change when needed.
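One way to plan the address rotation just described, as an added example in Python that is not part of the paper: the service names, the reserve prefix, the TTL values and the schedule wording are assumptions. It assigns every moving service a fresh address from a reserve block, keeps the plan deterministic so that every site derives the same assignment from a shared seed, renders the new zone records, and lays out a cutover schedule whose first step is lowering DNS TTLs at least one old TTL before the switch, since a cached long-TTL answer would otherwise keep handing the adversary the reconnoitred address.

```python
"""Planner for a prearranged address rotation ("digital mobility").

Added example for the mobility passage; not code from the paper. Service names,
the reserve prefix, TTL values and the schedule wording are assumptions.
"""
import ipaddress
import random
from typing import Dict, List, Tuple


def plan_rotation(current: Dict[str, str], reserve_prefix: str, seed: int) -> Dict[str, str]:
    """Give every service a distinct address from reserve_prefix that it did not
    already have. Deterministic in seed so each site derives the same plan."""
    net = ipaddress.ip_network(reserve_prefix)
    in_use = {ipaddress.ip_address(a) for a in current.values()}
    pool = [h for h in net.hosts() if h not in in_use]
    if len(pool) < len(current):
        raise ValueError("reserve block too small for the services that must move")
    rng = random.Random(seed)
    picks = rng.sample(pool, len(current))
    return {name: str(addr) for name, addr in zip(sorted(current), picks)}


def recon_invalidated(old: Dict[str, str], new: Dict[str, str]) -> float:
    """Fraction of the adversary's peacetime host map that no longer holds."""
    changed = sum(1 for n in old if new.get(n) != old[n])
    return changed / len(old)


def zone_lines(assignment: Dict[str, str], ttl: int) -> List[str]:
    """A records for the post-rotation addresses, zone-file style."""
    return [f"{name}. {ttl} IN A {addr}" for name, addr in sorted(assignment.items())]


def cutover_schedule(cutover_t: int, old_ttl: int, new_ttl: int) -> List[Tuple[int, str]]:
    """The switch is only simultaneous if resolver caches have already expired:
    TTLs must be lowered at least old_ttl seconds before cutover, and the reserve
    prefix must already be announced in BGP (and carrying decoy traffic) so the
    routing change at cutover is not itself a tip-off."""
    return [
        (cutover_t - old_ttl, f"lower TTL on every moving record to {new_ttl}s"),
        (cutover_t, "swap A records to the rotation addresses and re-point the "
                    "reserve prefix's route to the live site"),
        (cutover_t + new_ttl, "last cached answers for the old addresses expire"),
    ]
```

The `recon_invalidated` figure is the point of the exercise: if it is 1.0 for the systems that moved, everything the adversary mapped in peacetime has to be re-verified, which is the effect the paragraph above is after.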


Deception and Denial

A U.S. commander should also look at lessons learned from the adversary's standpoint to see adaptation to a disadvantage in firepower. One example is the air war over Kosovo. In 1999, NATO launched air operations over the Federal Republic of Yugoslavia in an effort to prevent then-President Slobodan Milosevic from killing or forcibly expelling ethnic Albanians from Kosovo. NATO commanders hoped the operation would produce the desired results in two days. Instead, the air campaign lasted over two months. NATO air strikes were never able to target Serbian military assets effectively, regardless of increased numbers of aircraft in theater or lowered minimum altitudes for certain attack aircraft.25 Rudimentary deception and denial tactics such as camouflage and simple decoys worked well, as did the more sophisticated tactic of exposing a real target to surveillance and then replacing it with a decoy for the warfighter to destroy.26 Eventually, NATO expanded its target set to include civilian infrastructure to bring pressure on Milosevic.27 Regardless, Serbian forces simply avoided U.S. firepower by countering its ISR.


24 For an introduction to executable control lists see A.E. Smith, "Staying alert with executable control lists," Iris Associates Inc, 1999. For a more robust executable control concept see M. Peretti, "Authenticated Execution," SecureWave, 2002.

25 P. Sheets, "Air war over Serbia," In: Lessons from Kosovo: The KFOR Experience, L. Wentz (ed), (Washington D.C.: DoD Command and Control Research Program, 2002).

26 T.L. Thomas, "Kosovo and the current myth of information superiority," Parameters XXX(1): 13-29.

27 P. Sheets, "Air war over Serbia," In: Lessons from Kosovo: The KFOR Experience, L. Wentz (ed), (Washington D.C.: DoD Command and Control Research Program, 2002).




2004 Command and Control Research and Technology Symposium


Rethinking Defensive Information Warfare


In the digital realm, there are some tools that allow deception. Some proponents put honeypots in this category.28 It should be noted, however, that honeypots bring deception to bear only after the intruder has penetrated the network. It would bring greater benefit to the commander to focus deception outside the firewall, preferably to counter the adversary's scanning and probing that precedes an attack. The adversary's reconnaissance must identify what the perimeter network assets are, what operating systems they run, what services they expose to outside networks, and what ports are in use. To use an analogy from conventional operations, deception and denial efforts targeted at this reconnaissance are the farthest forward that a defender can block the attack.

Digital deception and denial can be achieved in a number of ways. Ideally, all incoming scans and probes are diverted to a simulated network that responds with authentic-looking but incorrect information. Some software generates simulated responses from a store of known responses. This may be satisfactory against very low-level attackers, but it will not deceive a more sophisticated adversary; the simulations must be as authentic as possible. The decoy network can also take several shapes, showing either a realistic composition of components or an unrealistic architecture. There are advantages to each: a realistic-looking network may absorb more of an adversary's time, while an unrealistic-looking network may cause the adversary to turn his attention elsewhere. Ideally, this capability would be controlled centrally so that a higher command can observe the effects of particular deceptions and avoid unintended consequences, such as funneling the adversary toward a network that DoD would rather be left alone. If orchestrated properly, this capability would be coupled with the others outlined above. Instead of waiting passively for a cyber attack to arrive, DoD could counter adversary targeting and reconnaissance. Instead of trusting that the perimeter defense will stop every attack, multiple layers of defense would anticipate, contain, and counter penetration of C4ISR networks.
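The decoy-response idea can be shown with a small TCP decoy, an added example in Python rather than code from the paper or from the Deception Toolkit it cites. The banner profile is invented: the decoy answers a banner-grabbing scan with the greeting of a different platform than the one it actually runs on and records every probe, which is exactly the "store of known responses" approach the text says will satisfy only a low-level attacker. It binds to 127.0.0.1 so it can be run locally; in deployment it would sit on the real port of a perimeter address.

```python
"""Decoy perimeter service: answers reconnaissance with a plausible but wrong
banner and logs every probe.

Added example for the deception passage; not code from the paper or from the
Deception Toolkit it cites. The banner profile is invented and the listener
binds 127.0.0.1 only.
"""
import socket
import threading
import time
from typing import Dict, List, Tuple

# port -> greeting the decoy presents (assumed profile, chosen to mislead a scanner)
DECOY_PROFILE: Dict[int, bytes] = {
    21: b"220 ProFTPD 1.2.9 Server ready.\r\n",
    22: b"SSH-1.99-OpenSSH_3.4p1\r\n",
    25: b"220 mail ESMTP Sendmail 8.12.10; ready\r\n",
}


class Decoy:
    def __init__(self, profile: Dict[int, bytes], bind_port: int = 0, claimed_port: int = 22):
        # In deployment the decoy listens on the real port; here the OS picks a free
        # one (bind_port=0) and claimed_port selects which banner to play.
        self.banner = profile[claimed_port]
        self.probes: List[Tuple[str, bytes]] = []
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(("127.0.0.1", bind_port))
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        self._srv.settimeout(0.2)
        while not self._stop.is_set():
            try:
                conn, addr = self._srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(self.banner)           # greet first, as a real daemon would
                conn.settimeout(0.5)
                try:
                    data = conn.recv(4096)          # capture whatever the scanner sends next
                except (socket.timeout, ConnectionError):
                    data = b""
                with self._lock:
                    self.probes.append((addr[0], data))   # every touch is reconnaissance worth logging

    def wait_for_probes(self, n: int, timeout: float = 2.0) -> List[Tuple[str, bytes]]:
        """Return the probe log once it holds n entries (or the timeout passes)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.probes) >= n:
                    return list(self.probes)
            time.sleep(0.01)
        with self._lock:
            return list(self.probes)

    def close(self) -> None:
        self._stop.set()
        self._thread.join()
        self._srv.close()


def grab_banner(port: int, probe: bytes = b"") -> bytes:
    """What a scanner sees: connect, read the greeting, optionally send a probe."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(256)
        if probe:
            s.sendall(probe)
    return banner
```

A more sophisticated adversary fingerprints the TCP/IP stack (window sizes, option ordering, initial TTL) rather than the application banner, so a decoy that only plays canned greetings is exposed unless the host's stack is also tuned to match the claimed platform; that is the authenticity problem the paragraph above raises.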


Conclusions

Over the last few years, the concept of IW has lost much of its emphasis on war, especially where defensive operations are concerned. When the Defense Science Board stated that DoD could not defend itself from an IO attack, however, it was not referring to an enemy propaganda campaign. DIW needs to focus on countering adversary cyber attacks against DoD C4ISR assets, including the GIG, in a wartime environment. Although there are fundamental differences between digital and conventional defenses, many principles and strategies can be adapted to DIW. One of the best aspects of the American military has been its openness in discussing strategic issues and its willingness to implement lessons from military history. It needs to reinvigorate both with regard to DIW, which is in danger of stagnating with its logically flawed doctrine and practice.


28 Fred Cohen & Associates, "The deception toolkit," available at http://all.net/dtk/dtk.html.
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Overview

• Current state of DIW
  - Doctrine
  - Theory
  - Practice

• Fundamental Flaws in Information Assurance (IA)
  - Technical and logical shortcomings
  - Limits of cyber risk management

• New Basis for DIW
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DIW Defined

Joint Pub 3-13

The integration and coordination of policy, personnel, and technology to protect information and information systems.

IA, physical security, OPSEC, counter-deception, counter-psyops, CI, EW, and special information operations.

Ensure access while denying adversaries the opportunity to exploit friendly information and information systems for their own purposes.

General Dynamics Advanced Information Systems


DIW Explained

• OPSEC and risk management

• Protection, detection, restoration, and response
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DIW Expanded

• Defensive counterinformation

• Counter propaganda and public affairs

• Protection of any information-based process in military activity
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DIW Doctrine

• Emphasis is on passive monitoring and basic OPSEC procedures

• Generic risk management methodology

• No guidance for
  - preparations for improving defense prior to an attack
  - response to a cyber attack in wartime conditions
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DIW Theory: NCI Focus

• 1996 NDU Study
  - Addressed defense of national critical infrastructure (NCI) as well as military
  - Acknowledges poor ability to identify which assets are critical
  - Recommends raising level of defense to meet the sophistication of the attack
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DIW Theory: DII Focus

• 1999 RAND study
  - Addressed Defense Information Infrastructure
  - Called for definition of "minimum essential"
  - Acknowledged that "just about everything must be included"
  - Set up six-step risk management process




Defense Science Board Studies

• 1996 Report
  - Looked at both DII and NCI
  - Called for improvements in basic functions (warning, damage assessment)

• 2001 Report
  - Looked at DII
  - Called for stronger architecture in the Global Information Grid, better intrusion detection, and increased R&D
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DoD cannot today defend itself from an Information Operations attack

Defense Science Board, 2001
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Current State of Practice

• Expansion of term, focus on day-to-day operations and computer network defense (CND)
  - Monitoring for intrusions
  - Identifying malware
  - Installing patches
  - Incident response

• Emphasis on IA
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Is IA a Solid Foundation?

• Based on ideals
  - Flawless software
  - Flawless implementation and configuration
  - Up-to-date patches and signatures
  - Access limited to authorized users
  - Users have appropriate privileges
  - No one undermining security
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Hardware and Software

• In reality
  - Operating systems (e.g., Windows)
  - Fundamental services (e.g., BIND)
  - Applications (e.g., IIS)

• Flaws exist
  - Not just announced and patched vulnerabilities
  - Undiscovered flaws
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The patch model for Internet security has failed spectacularly.

CAIDA, 2004
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Signature-Based Defense

• Anti-virus, intrusion detection, firewalls
  - Rules are set up to identify known characteristics of existing exploits or malware

• By definition, reactive

• Cannot stop the zero-day exploit or the latest worm




Authentication

• Most networks require simple authentication
  - Username
  - Password

• Passwords are notoriously insecure

• Moving toward "single sign-on"

• Poor verification of authorized use of network
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The Reality of Complexity

• In theory, network security should be straightforward

• In practice, it is complex
  - Interactions of hardware, software
  - Mobile users
  - Personal equipment

• There are individual solutions to each problem, but each solution has its own vulnerabilities and problems
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Implications for Risk Management

• Poor definition of "critical" assets
  - May be no differentiation

• In peacetime, risk may be acceptable
  - Time to investigate intrusions
  - Personnel to respond to incidents

• In wartime, the risk is unacceptable
  - Against a sophisticated adversary, IA certain to fail
  - A small amount of wrong or unavailable data can have a large impact on military decisions
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New Basis for DIW

• Examine military history

• Draw analogies
  - Perimeter defense unlikely to succeed
  - Limited ability to counterattack

• Historical examples
  - German defense in depth from WWI
  - American Active Defense from the Cold War
  - Serbian defense against the NATO Kosovo air campaign
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WWI Perimeter Defense
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WWI Defense in Depth
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Lessons Drawn

• Even with forward-deployed forces, perimeter will be penetrated

• Detection and reaction are part of defense
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Network Perimeter Defense
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Network Perimeter Defense
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Network Defense in Depth
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From Forward Defense to Active Defense

• US faced numerically superior foe

• Active Defense
  - Firepower disadvantage
  - Knew forward positions would be overrun
  - Response: hardening combined with mobility
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Cold War: European Defense
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• Hardening
  - Locked down operating system
    ■ Rigid execution control

• Mobility
  - Countering adversary reconnaissance
  - Changes in
    ■ IP addresses
    ■ Configuration (including DNS and BGP)
    ■ Equipment
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Source: Global Security

Lessons drawn

• Deception and denial
  - Neutralize enemy firepower advantage by countering intelligence, surveillance, and reconnaissance
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Network-based Deception

• Not necessarily honeypots

• Targeted at adversary reconnaissance
  - Simulated responses
  - Diverted traffic to real networks

• Should be tailored
  - Could draw in adversary
  - Could discourage adversary

• Should be centrally controlled
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Integration

• If combined
  - Counter pre-crisis adversary reconnaissance with mobility
  - Counter reconnaissance during crisis or war with deception
  - Detect insider threat and network penetration
  - Harden certain systems to better protect critical systems

• Prepare DoD systems for war
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Summary

• IW has lost emphasis on war

• DIW has lost any concept of escalation for crisis or conflict

• Military history can illustrate adaptations in the face of adversity

• DIW needs to look to military history to reinvigorate review of strategic needs
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